Middle East TMT - 2025 in review

Technology and Data – 2025 in review and looking ahead

As we enter 2026, we have summarised some of the key legal developments relating to technology and data that are impacting businesses in our region that occurred during 2025, and we look ahead to some anticipated developments in 2026.

2025 IN REVIEW

United Arab Emirates

Artificial Intelligence

• UAE has not moved to introduce any general regulation of AI specifically, but continues to emphasise the importance of AI capability as a national asset and strategic imperative, particularly in government and quasi-government institutions, building on longstanding national strategy plans in this space. Previously, the UAE introduced the role of Chief Executive Officer for AI in all ministries and federal entities, and the Cabinet created the UAE Council for Artificial Intelligence, tasked with proposing policies to create an AI-friendly ecosystem, encourage advanced research in the sector and promote collaboration between the public and private sectors, including international institutions to accelerate the adoption of AI. In April 2025, the UAE established the Regulatory Intelligence Office, which created a technical ecosystem using AI tools, integrating all federal and local laws in the UAE, judicial rulings, executive procedures, and public services. The aim of the system is to enable the UAE government to track the daily impact of laws on the people and economy using large-scale data and to identify potential updates to legislation. The system is also designed to integrate with global research centres to take account of best international policies and legislative practices.

Commercial Gaming

• The General Commercial Gaming Regulatory Authority was active in issuing licences to new participants in the UAE’s emerging gambling market. Following the issue of the national lottery licence to The Game LLC in 2024, Internet Gaming and Sports Wagering licences were issued to Coin Technology Projects LLC. Both The Game and Coin Technology Projects are part of the Momentum Group based in Abu Dhabi. It has been suggested in industry publications that only one gaming licence will be awarded in any emirate in each category (land, internet, sports), meaning that Momentum Group appears effectively to have been handed, thus far, a monopoly in commercial gaming in Abu Dhabi, although a land-based gaming licence in Abu Dhabi has not yet been issued. In parallel, the Wynn Al Marjan Island integrated gaming resort in Ras Al Khaimah continues to be constructed and approaching 20 licences have been awarded to suppliers of gaming products and services. Interestingly, Dubai has not yet issued any commercial gaming licences. Details of the national regulatory regime governing the industry have not been published.

Cybersecurity

• The UAE Cybersecurity Council announced the launch of three new programmes designed for readiness for post-quantum security: the National Information Assurance Programme, the National Cybersecurity Index Platform, and the National Post-Quantum Migration Programme. The UAE aims to identify vulnerable cryptographic assets, prioritize migration pathways, and guide entities with long-term data protection needs, with clear baselines, sector wide guidance, and early migration roadmaps. (Further information is available in our Law‑Now article: Cyber Space: Global insights on cyber and data risks for insurers November 2025 – What 2025 has taught us about cyber risks in the Gulf region)

Fintech

• In September, the UAE updated its banking law by issuing Federal Decree-Law No.6 of 2025 Regarding the Central Bank, Regulation of Financial Institutions and Activities, and Insurance Business (the “New Banking Law”). This law repealed the previous banking law in the UAE. The New Banking Law signals a strategic shift by the Central Bank of the UAE (the “CBUAE”), expanding its regulatory perimeter to capture technology service providers that facilitate financial services. The New Banking Law includes the two new regulated activities of “providing open finance services”, and “providing payment services using Virtual Assets”. These two licence categories are complementary to the introduction of the CBUAE Open Financial Regulation and the Payment Token Services Regulation. A defining feature of the New Banking Law is, however, the introduction of Article 62 which represents a key departure from the previous law and brings technology service providers that facilitate licensed financial activities within the regulatory perimeter of the CBUAE. (Further information is available in our Law‑Now article: The new UAE Central Bank law: Expanding the regulatory perimeter for a digital era).

Media regulation

• Federal Decree by Law No. (11) of 2025 Establishing and Regulating the National Media Authority was published, which created a new media regulatory authority in the UAE with broad responsibilities and competencies to regulate the sector. Whilst the basic principles of media regulation have not changed, the creation of a new regulatory authority implies a renewed focus on compliance in this sector.

Online child safety

• In late 2025, the UAE published a new Online Child Safety law, effective 1 Jan 2026, with a one-year grace period for impacted businesses to become compliant. The law imposes controls on a range of platforms and websites serving content to under 18-year-olds in the UAE, whether the business behind the offering is based in the UAE or overseas. The law also creates obligations on parents and caregivers to protect children from online harms.

Healthcare

• Federal Decree-Law No. 38/2024 Regarding Medical Products, the Pharmacy Profession, and Pharmaceutical Establishments took effect 2 January 2025. The law introduces, among other changes, new definitions for nutritional supplements and reallocates certain functions from the Ministry of Health and Prevention to a newly established sector regulator, the Emirates Drug Establishment (“EDE”). While the new law does not constitute a wholesale change to the previous legal framework, it introduces material developments that healthcare operators should be aware of and assess in the context of their UAE operations.

Hemp and Cannabis Products

• Federal Decree-Law No. 24 on the Regulation of Industrial and Medical Uses of Industrial Hemp was signed into law in late 2025 and enters law on 1 January 2026. This law remains subject to implementing regulations which, according to Article 16 of the law, will regulate the “sale or purchase of [industrial hemp] products, offering them for sale, [or] marketing them”. Retailers will be closely monitoring developments with respect to this law in 2026.

Saudi Arabia

Artificial intelligence

• The Saudi Data and Artificial Intelligence Authority (SDAIA) has, throughout 2025, updated and promulgated its public Guidelines on Generative Artificial Intelligence, which consolidate core principles of responsible AI (fairness, transparency, accountability, and privacy/security) and set out practical risk mitigations, including disclosure of synthetic content, governance measures and human oversight, with explicit cross‑references to the PDPL. At the international level, the Kingdom has reinforced its leadership on AI ethics, with SDAIA contributing to UNESCO frameworks and the Riyadh Charter on AI for the Islamic World, signalling that sectoral regulators will continue to evaluate AI through a combined lens of responsible use and national data sovereignty. Product teams deploying large language models (LLMs) in Saudi Arabia should operationalise these checklists, although non‑binding, they are poised to function as the de facto benchmark in supervisory reviews, audits and investigations.
• The Communications, Space & Technology Commission (CST) released a consultation draft of the Global AI Hub Law. Despite its title, the draft functions primarily as a data infrastructure legislation, creating a legal basis for ‘data embassies’ which are designated facilities (or segregated parts of facilities) in Saudi Arabia where data owned by a foreign state or enterprise may be hosted under the guest jurisdiction’s law. The draft sketches several models with differing degrees of sovereignty and operational control (including private, extended and virtual hubs). While the final text of the law has not yet been issued, if enacted substantially as proposed, the regime would give statutory certainty to sovereign hosting arrangements that elsewhere rely on bespoke treaties or contracts. (Further information is available in our Law‑Now article: Shaping the future of data sovereignty: Saudi Arabia issues new draft global AI hub law).

Data protection

• The Saudi Personal Data Protection Law (PDPL) completed its first full year of enforcement in 2025, with the regulator (SDAIA) signalling a measured yet substantive supervisory approach. During the year, SDAIA activated complaints committees, issued operational guidance (including on the designation and remit of DPOs, privacy‑notice content and data destruction/anonymisation), and proposed amendments intended to tighten notice requirements, strengthen accountability (notably record‑keeping and DPO responsibilities) and confirmed that promotional communications require prior, explicit consent. Notwithstanding the absence of high profile fines, organisations should remain audit ready and anticipate closer supervisory engagement. The law already provides for administrative penalties of up to SAR 5 million (which may be doubled for repeat violations) and criminal liability for the intentional, harmful disclosure of sensitive personal data. (Further information is available in our Law‑Now article: One year on: Saudi Arabia’s Personal Data Protection Law).
• Cross‑border transfers remained the highest impact area for organisations. Earlier in the year, SDAIA issued a non-binding Risk Assessment Guideline that effectively sets the documentation and control standard for exports of personal data, especially when organisations rely on Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), or when transfers of sensitive data are continuous or widespread. The guideline’s four‑phase method (preparation, impact and risk analysis, transfer risk assessment, and  national interest considerations) dovetails with the 2024 Transfer Regulation, but importantly, SDAIA has not yet published its “adequacy/whitelist” of countries, keeping most businesses on the safeguards and risk assessment path. Practically, this means mapping flows, choosing a lawful mechanism, running and documenting transfer impact assessments, and factoring national interest considerations until adequacy decisions arrive.

Cybersecurity

• In the cybersecurity domain, 2025 marked both a consolidation of foundational requirements and a broadening of regulatory scope. The National Cybersecurity Authority (NCA) updated its two cornerstone frameworks: Essential Cybersecurity Controls (ECC 2‑2024) and Cloud Cybersecurity Controls (CCC 2‑2024), with the CCC expressly reflecting revisions related to data localisation. Later in the year, the NCA promulgated a new control set for private sector entities outside Critical National Infrastructure (CNI), representing a strategic shift from a CNI centric regime to an economy wide baseline and paving the way for 2026 implementation milestones and potential supervisory audits. Collectively, these measures elevate the imperative for demonstrable control maturity, rigorous cloud tenant due diligence and localisation  architectural design across Saudi operations. (Further information is available in our Law‑Now article: Cyber Space: Global insights on cyber and data risks for insurers November 2025 – What 2025 has taught us about cyber risks in the Gulf region).

Cloud

• The Communications, Space and Technology Commission (CST) continues to enforce the Cloud Computing Service Provisioning Regulations (version 4), which supersede the prior Cloud Computing Regulatory Framework (version 3). For cloud customers, particularly those in regulated sectors, these requirements intersect with data classification and data residency obligations that determine the lawful placement of workloads and the design of provider control environments. Cloud customers should map information assets to CST’s classification tiers, align deployment models with sector specific localisation expectations, and ensure that their technical and procedural safeguards remain harmonised with the National Cybersecurity Authority’s Essential Cybersecurity Controls (ECC) and Cloud Cybersecurity Controls (CCC).

Digital Government

• In the digital government sphere, 2025 saw further maturation of policy and delivery. The national portal reflects adoption of the Digital Government Strategy (2025–2030), with renewed emphasis on a regulated ecosystem, notably digital identity and trust, alongside harmonised, adaptive regulation and clearly defined service quality KPIs for 2025. In parallel, SDAIA conducted an expedited public consultation on proposed General Rules for the Secondary Use of Data, intended to formalise public–private data sharing arrangements. These measures constitute a critical precursor to scaled, compliant data exchange across smart city, healthcare, mobility and fintech domains. Final promulgation of the rules remains a material 2026 watchpoint for entities seeking to establish data partnerships with ministries and other public authorities.

Fintech

• The Saudi Central Bank (SAMA) issued a draft update to the Oversight Framework for Payment Systems and Their Operators, aligning it with the Law of Payments and Payment Services and the PFMIs. The consultation window was for 15 days, with potential final issuance in 2026. The update is expected to clarify systemically important payment system (SIPS) designations, introduce tiered obligations and require more structured self‑assessments. (Further information is available in our Law‑Now article: SAMA launches consultation to the Oversight Framework for Payment Systems and Their Operators: A Modernised Payments Framework in the Kingdom of Saudi Arabia).
•  Concurrently, the Capital Market Authority (CMA) expanded its FinTech Lab to include AI‑enabled advisory, with permits announced in December 2025, and consulted in August–September 2025 on allowing licensed institutions to offer robo‑advisory on a broader, business as usual basis. Payment system operators should prepare for a more explicit prudential and operational cadence, including PFMI‑style self‑assessments, stronger governance and clearer incident expectations, while wealth and retail platforms should establish robust model governance controls and disclosures for algorithmic advice.

Türkiye

Cybersecurity

• Turkey adopted a new Cybersecurity Law, which entered into force on 19 March 2025. The Law establishes a comprehensive cybersecurity framework, designates cybersecurity as a national security priority, and applies broadly to public and private entities operating in cyberspace. It introduces enhanced obligations for critical infrastructure operators, cybersecurity service providers, and IT companies, including licensing, audit, incident-reporting, and compliance requirements under the supervision of the Cybersecurity Presidency. The Law is backed by significant administrative fines and criminal sanctions for non-compliance, cyber incidents, and regulatory breaches. (Further information is available in our Law‑Now article: Türkiye adopts first Cybersecurity Law).

Data protection

• On 10 November 2025, the Turkish Personal Data Protection Board announced that it had granted Türkiye’s first approval for a cross-border personal data transfer based on a non-international agreement, concluded between Directorate General of Migration Management of the Ministry of Interior of Türkiye and the United Nations High Commissioner for Refugees. The decision marks the first practical application of the new cross-border transfer mechanism introduced by the 2024 amendments to the Personal Data Protection Law, confirming that non-international agreements containing appropriate data-protection safeguards may serve as a lawful basis for cross-border transfers, subject to prior Board approval.
• The Turkish Data Protection Authority published several explanatory guidelines throughout 2025, including the Guide to Transferring Personal Data Abroad, the Guide to Processing Special Category Personal Data, and updated Questions and Answers on the Data Controllers Registry Information System (VERBİS) Guide. Administrative fines under the Personal Data Protection Law were updated for 2026 and officially published on 31 December 2025, reflecting the annual revaluation rate.

Healthcare

• On 3 December 2025, Turkey amended the Regulation on Personal Health Data, aligning health-data processing, access, and disclosure rules more closely with the strict lawful bases set out under Article 6(3) of the Personal Data Protection Law. The amendments tighten lawful processing conditions for health data, introduce clearer access controls for the e-Nabız digital health system, limit Ministry of Health access to anonymised data, and update operational rules on parental access, caregiver access, and data retention. The changes aim to strengthen compliance, transparency, and individual control within Turkey’s digital health infrastructure. (Further information is available in our Law‑Now article: Türkiye updates personal health data rules to align with law and access controls).

AI and online content

• On 5 December 2025, Turkey submitted to parliament a Draft Law amending Law No. 5651 on the Regulation of Publications on the Internet, marking its first legislative step towards the criminal regulation of AI-generated content. The Draft Law introduces a mandatory labelling requirement for AI-generated content and links the dissemination of unlabelled AI content to the criminal offence of publicly disseminating misleading information. Non-compliance may result in content removal measures and criminal liability, including imprisonment, with aggravated penalties in cases involving identity concealment or organised activity. (Further information is available in our Law‑Now article: Türkiye Introduces Criminal Regulation for AI Content).

Digital copyright

• Turkey submitted a Draft Law on Digital Copyrights to the Grand National Assembly on 12 December 2025, aiming to establish a comprehensive legal framework for copyright protection in digital environments. The Draft Law introduces platform obligations, enhanced protection of authors’ economic and moral rights, licensing of news content with mandatory revenue sharing, fair use exceptions, and expedited dispute resolution mechanisms. It also envisages the establishment of a dedicated Copyright Monitoring Authority and Board, administrative fines linked to platform revenues, and incentive programmes to support compliant platforms and the development of creative industries. (Further information is available in our Law‑Now article: Türkiye’s draft law on digital copyrights submitted to national parliament).

Oman

Data Protection

• Ministerial Decision No. 6/2025, issued in June 2025, amended the PDPL Executive Regulations (MD 34/2024) by extending the compliance grace period from one year to two years, i.e. to 5 February 2026.

Electronic Transactions Law Reform

• Royal Decree No. 39/2025 introduced a modernised Electronic Transactions Law, replacing the 2008 framework.

National AI Governance Framework

• The Ministry of Transport, Communications and Information Technology issued the Public Policy for the Safe and Ethical Use of Artificial Intelligence Systems, establishing Oman’s national reference framework for AI governance.

Egypt

Data protection

• Egypt has taken a significant step toward full implementation of its Personal Data Protection Law (Law No. 151/2020) (PDPL) with the issuance of Executive Regulations under Ministerial Decision No. 816/2025. The issuance of the Regulations starts the one‑year compliance grace period, meaning that organisations operating in or targeting Egypt should ensure they achieve full compliance by the end of 2026.
• Alongside the Regulations, the Personal Data Protection Centre has released a set of operational guidelines, offering practical direction on topics such as lawful bases, consent, privacy notices, licensing, electronic direct marketing, Records of Processing Activities, and Data Protection Officers.

2026 ANTICIPATED DEVELOPMENTS

United Arab Emirates

Data protection

• The UAE’s executive regulations to implement the Personal Data Protection Law remain pending. As the law stands, once the regulations are published, a short six-month grace period will begin before all businesses processing personal data of people residing in the UAE must become compliant with the GDPR-style law.

Processing personal data using Artificial Intelligence

• The DIFC is expected to commence more active enforcement of the Data Protection Regulations Article 10, a legal provision which imposes controls over, and mandates conformity to certain standards of, automated systems which process personal data falling within the scope of the DIFC’s Data Protection Law 2020.

Artificial Intelligence

• A general regulation of AI seems unlikely, but government bodies and authorities are expected to continue developing their own policies and guidelines for use, procurement and design, supplementing existing documents. It will be interesting to see if the UAE considers a law similar to the proposed Saudia AI and Data Sovereignty law.

Saudi Arabia

Data Protection

• Further investigations by SDAIA are expected, with potential public decisions on breaches.
• Key PDPL aspects remain pending confirmation such as publication of the revised Implementing Regulations and confirmation of the adequacy list for international data transfers, which will be critical for cross-border compliance planning.

Türkiye

Online child safety

• In 2026, Turkey is expected to advance legislative efforts to regulate social media use by children under the age of 15. According to statements by the Minister of Family and Social Services, a draft omnibus bill containing proposed restrictions and safeguards for under-15 users is anticipated to be submitted to the relevant parliamentary committee, signalling increased regulatory focus on child protection in digital environments.

Cybersecurity

• The implementation principles and procedures for the obligations set forth under the Cybersecurity Law will be further detailed by the Cybersecurity Directorate through secondary legislation, expected to be issued in 2026.

Oman

Data protection

• With the extended compliance period expiring in February 2026, the regulator’s enforcement under the PDPL is expected to start. Business subject to the Oman PDPL now have a very limited time window in which to ensure that they are compliant.

Telecommunications & IT Regulatory Reform

• Following the referral of the draft law to the State Council in 2025, the Telecommunications and IT Regulatory Law is expected to be finalised and enacted in 2026. The new law is intended to replace the Telecommunications Regulation Law, originally issued by Royal Decree No. 30/2002, and is designed to align with the evolving local and global landscape in the telecommunications and information technology sectors.